HIPAA Privacy for Beginners: A Plain-English Guide to the Privacy Rule
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule sets national standards in the United States for how health information is used and shared. It defines when your data can move, who may access it, and what protections must be in place to keep it confidential.
Administered by the Department of Health and Human Services, the rule is enforced by the Office for Civil Rights. It balances two goals: protecting your privacy while allowing the health system to function—so care, payment, public health, and research can proceed with appropriate safeguards.
Plain-English goals
- Give you clear rights over your health information.
- Limit how organizations use or disclose it without your authorization.
- Require policies, training, and safeguards across the system.
Protected Health Information Definitions
Protected Health Information (PHI) is individually identifiable health information that relates to your health, care, or payment for care—and is created or received by a Covered Entity or its Business Associates. PHI can be on paper, spoken, or electronic (ePHI).
Common identifiers that make information “identifiable”
- Names
- Geographic details smaller than a state (street, city, ZIP, etc.)
- All elements of dates (except year) tied to an individual (for example, birth, admission, discharge, death); ages 90+ are grouped
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Medical record and health plan beneficiary numbers
- Account and certificate/license numbers
- Vehicle identifiers and license plates
- Device identifiers and serial numbers
- Web URLs and IP addresses
- Biometric identifiers (for example, fingerprints, voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
What is not PHI
- De-identified data (when identifiers are removed under a recognized method).
- Information about employment kept by a provider in its role as employer.
- Education records covered by other federal laws.
De-identification methods
- Safe Harbor: remove specified identifiers, including those listed above.
- Expert Determination: a qualified expert documents a very small re-identification risk.
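As an added example (not from the page or from Accountable), the Python sketch below applies the Safe Harbor rules listed above to a constructed intake record: direct identifiers are dropped outright (ZIP included, conservatively, as the list above implies), dates keep only the year, ages of 90 or older are collapsed into one bucket, and remaining free-text fields are scanned for identifiers that may have slipped through. The field names, patterns and sample values are assumptions, not a real EHR schema.

```python
import re
from datetime import date
# Hypothetical field names for an intake record (assumed schema, not a real EHR).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "plan_member_id", "account_no", "license_no", "plate", "device_serial",
    "url", "ip", "fingerprint_hash", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Patterns that suggest an identifier survived inside free text.
RESIDUAL = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def year_only(value):
    """Safe Harbor keeps only the year of any date tied to the individual."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return int(m.group(1)) if m else None

def bucket_age(age):
    """Ages 90 and over are collapsed into a single bucket."""
    return "90+" if age >= 90 else age

def safe_harbor(record):
    """Return (de-identified record, list of (field, pattern) residual hits)."""
    clean, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:          # drop outright (ZIP included)
            continue
        if key in DATE_FIELDS:
            clean[key.replace("_date", "_year")] = year_only(value)
        elif key == "age":
            clean[key] = bucket_age(value)
        else:
            clean[key] = value
            for label, pat in RESIDUAL.items():  # flag leaks in free text
                if isinstance(value, str) and pat.search(value):
                    findings.append((key, label))
    return clean, findings

SAMPLE = {  # constructed sample, not real patient data
    "name": "Jane Example", "ssn": "123-45-6789", "zip": "02139",
    "birth_date": "1931-06-14", "admission_date": date(2023, 11, 2),
    "age": 92, "diagnosis_code": "E11.9",
    "notes": "Patient asked to be called back at 555-867-5309.",
}
```

Any non-empty findings list means the record is not yet de-identified and the flagged free-text field needs manual review or redaction before release.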
Covered Entities and Their Roles
Covered Entities are the core organizations regulated by HIPAA Privacy: health care providers that conduct standard transactions, health plans, and health care clearinghouses. They must implement privacy policies, train staff, and apply safeguards suited to their size and risk.
Notice of Privacy Practices
Covered Entities must give you a Notice of Privacy Practices explaining how they use and disclose PHI, your individual rights, and how to reach their privacy contact. You should receive it at first service (or be able to easily access it) and on request later.
Operational responsibilities
- Designate a privacy official and complaint process.
- Limit access to the Minimum Necessary Standard where it applies.
- Enter Business Associate Agreements when vendors handle PHI.
Business Associates Compliance
Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for a Covered Entity—for example, cloud hosts, billing companies, EHR vendors, and certain consultants. They must follow HIPAA requirements relevant to their services.
Business Associate Agreements (BAAs)
- Define permitted uses/disclosures of PHI by the Business Associate.
- Require safeguards, breach reporting, and downstream protections for subcontractors.
- Permit audits or termination if obligations are not met.
Accountability chain
Subcontractors that handle PHI are also Business Associates and need equivalent contractual and compliance obligations. Everyone in the chain must secure PHI and respect HIPAA Privacy requirements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Permitted Uses and Disclosures of PHI
HIPAA Privacy permits certain uses and disclosures without your authorization and requires authorization for others. The rule is designed to avoid blocking necessary care while protecting your privacy.
Without your authorization
- Treatment, Payment, and Health Care Operations (TPO), such as care coordination, billing, and quality improvement.
- Public interest and benefit activities (for example, public health reporting, health oversight, certain law enforcement purposes, judicial or administrative proceedings, organ donation, workers’ compensation, or to avert a serious threat).
- Required disclosures: to you upon request and to the Department of Health and Human Services for investigations.
With your authorization
- Most uses outside TPO, including many marketing activities, research that doesn’t qualify for a waiver or limited data set, and sale of PHI.
- Authorizations must be specific, time-limited where appropriate, and revocable in writing.
Related concepts
- Incidental disclosures are permitted only when reasonable safeguards are in place.
- A Limited Data Set (with certain identifiers removed) may be shared for research, public health, or operations under a Data Use Agreement.
Individual Rights Under HIPAA
HIPAA Privacy gives you clear rights so you can see and shape how your information is used. Covered Entities and Business Associates must support these rights within defined timelines.
Right of access
You may inspect or get copies of your PHI in the requested form and format when readily producible. Entities generally must respond within 30 days, with one allowed extension if needed.
Right to request amendments
If you believe your record is incorrect or incomplete, you can request an amendment. If denied, you may submit a statement of disagreement that travels with the record.
Right to an accounting of disclosures
You may request a list of certain non-routine disclosures made in a defined look-back period, excluding TPO and other exempt categories.
Right to request restrictions and confidential communications
You can ask to limit certain disclosures and request communications by alternative means or locations. If you pay out of pocket in full, you can demand that information not be shared with your health plan for that service, except where otherwise required.
Right to a Notice of Privacy Practices and to file complaints
You are entitled to the Notice of Privacy Practices and may file complaints with the provider/plan or the Office for Civil Rights without fear of retaliation.
Minimum Necessary Standard and Enforcement
The Minimum Necessary Standard requires limiting the use, access, and disclosure of PHI to the least amount needed to accomplish the purpose. Covered Entities should adopt role-based access, standard request protocols, and decision criteria to enforce this principle.
Key exceptions
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to you, the individual.
- Uses or disclosures made under your valid authorization.
- Uses or disclosures required by law or for compliance with the rule.
Enforcement and penalties
The Office for Civil Rights investigates complaints, conducts compliance reviews, and can impose civil monetary penalties under a tiered structure based on culpability. Criminal penalties may apply for knowing wrongful disclosures, enforced by federal authorities.
Practical compliance tips
- Maintain current policies, workforce training, and sanctions for violations.
- Use Business Associate Agreements and vendor due diligence.
- Apply technical, physical, and administrative safeguards and audit regularly.
- Document decisions, risk analyses, and responses to incidents.
In short, HIPAA Privacy defines who can use your information, for what purposes, and with what safeguards—while giving you strong rights to access and control. When organizations follow the Minimum Necessary Standard and core requirements, they support both quality care and trust.
FAQs
What types of information does HIPAA protect?
HIPAA protects Protected Health Information—any individually identifiable data about your health, the care you receive, or payment for that care, when held by Covered Entities or their Business Associates. PHI includes clinical details and common identifiers like names, contact data, IDs, and dates tied to you.
How do covered entities differ from business associates?
Covered Entities are providers, health plans, and clearinghouses primarily delivering or paying for care. Business Associates are vendors that handle PHI on their behalf—such as billing services or cloud hosts. Both must safeguard PHI, but Business Associates act under contracts (BAAs) that define permitted uses and required protections.
What rights do individuals have under the HIPAA Privacy Rule?
You have the right to access your records, request amendments, receive an accounting of certain disclosures, ask for restrictions and confidential communications, obtain a Notice of Privacy Practices, and file complaints with the Office for Civil Rights without retaliation.
What are the penalties for HIPAA violations?
Penalties range from corrective action plans to substantial civil monetary penalties under a tiered system that reflects the level of negligence, with amounts adjusted annually. Serious or intentional misconduct can trigger criminal liability in addition to civil enforcement.